Analysis Overview
SHA256
52bed4d9c0fdb81bdc4abfd46b47b8f8fa2dcdd570fcdc94f300f087c8b3aa65
Threat Level: Known bad
The file 9E7DE6D79CCC935FA7C1B629155CA2EF.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Nanocore family
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-06 05:23
Signatures
Nanocore family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-06 05:23
Reported
2024-01-06 05:25
Platform
win7-20231215-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe" | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LAN Service\lansv.exe | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LAN Service\lansv.exe | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe
"C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D9F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D22.tmp"
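The persistence chain recorded above (Run key under the Wow6432Node view, a dropped copy in Program Files (x86), two schtasks.exe launches importing task XML from %TEMP%) is worth turning into detection logic. The block below is an added example, not code from the sandbox vendor or from the report. Its event dictionaries are constructed to mirror the report's Process, Indicator and command-line entries; the field names ("type", "process", "key", "data", "path", "cmdline", "parent") are an assumption, not a real sandbox or EDR schema, and the "parent" of the two schtasks.exe launches is taken from the process tree, which lists them under the sample.

```python
"""Detection rules for the persistence chain in the behavioral1 report above.

Added example, not the sandbox vendor's code. Event shapes are assumed; the
values are the report's own. Backslashes are single here, whereas the report
shows the Run value with JSON-style doubled backslashes.
"""
import re
import shlex
from dataclasses import dataclass

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.I)
SCHTASKS_RE = re.compile(r"(^|\\)schtasks(\.exe)?$", re.I)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\9E7DE6D79CCC935FA7C1B629155CA2EF.exe"

# Constructed from the behavioral1 entries; "parent" is assumed from the process tree.
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": SAMPLE_EXE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service",
     "data": r'"C:\Program Files (x86)\LAN Service\lansv.exe"'},
    {"type": "registry_query", "process": SAMPLE_EXE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "file_create", "process": SAMPLE_EXE,
     "path": r"C:\Program Files (x86)\LAN Service\lansv.exe"},
    {"type": "process_create", "process": r"C:\Windows\SysWOW64\schtasks.exe", "parent": SAMPLE_EXE,
     "cmdline": r'"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D9F.tmp"'},
    {"type": "process_create", "process": r"C:\Windows\SysWOW64\schtasks.exe", "parent": SAMPLE_EXE,
     "cmdline": r'"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D22.tmp"'},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def parse_schtasks(cmdline: str) -> dict:
    """Map `schtasks /create /f /tn X /xml Y` to {"/create": None, "/f": None, "/tn": "X", "/xml": "Y"}.

    posix=False keeps Windows backslashes literal and leaves the quotes on each
    token, which are stripped afterwards. Returns {} when argv[0] is not schtasks.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or not SCHTASKS_RE.search(tokens[0]):
        return {}
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if not tok.startswith("/"):
            i += 1
            continue
        if nxt is not None and not nxt.startswith("/"):
            opts[tok.lower()] = nxt   # switch with an argument, e.g. /tn "LAN Service"
            i += 2
        else:
            opts[tok.lower()] = None  # bare switch, e.g. /create or /f
            i += 1
    return opts


def scan(events) -> list:
    """Apply three rules that together describe the report's persistence chain."""
    findings = []
    for ev in events:
        proc = ev["process"]
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]) and USER_TEMP_RE.search(proc):
            # A binary running out of the user's Temp directory writing an autostart value.
            findings.append(Finding("run_key_set_by_temp_binary", proc, f'{ev["key"]} = {ev["data"]}'))
        elif ev["type"] == "file_create" and PROGRAM_FILES_RE.match(ev["path"]) and USER_TEMP_RE.search(proc):
            # Temp-resident binary staging a copy of itself under Program Files.
            findings.append(Finding("program_files_drop_by_temp_binary", proc, ev["path"]))
        elif ev["type"] == "process_create":
            opts = parse_schtasks(ev["cmdline"])
            xml = opts.get("/xml")
            if "/create" in opts and xml and USER_TEMP_RE.search(xml):
                # Task definition imported from a throwaway .tmp file in %TEMP%; /f overwrites silently.
                findings.append(Finding("schtasks_create_xml_from_temp", proc,
                                        f'task "{opts.get("/tn")}" from {xml} (parent {ev.get("parent")})'))
        # The EnableLUA query is recorded by the sandbox but is not actionable on
        # its own: many installers read it. It is kept as context, not a finding.
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.rule, "|", f.process, "|", f.detail)
```

The two schtasks rules fire on the path of the /xml argument rather than on the task name, because the name ("LAN Service") is attacker-chosen and will differ between builds while the import-from-%TEMP% pattern is a property of how the sample installs itself. The task XML files themselves (tmp1D22.tmp, tmp1D9F.tmp) are hashed in the Files section but their contents are not shown on this page, so nothing here asserts what the tasks actually run.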
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 18.158.58.205:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.127.181.115:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.64.4.198:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.64.4.198:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.161.133:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.161.133:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 18.158.58.205:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.127.181.115:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
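The table above is the "Legitimate hosting services abused for malware hosting/C2" signature in concrete form: every TCP connection goes to port 15464 on 5.tcp.eu.ngrok.io, an ngrok TCP tunnel name, and the hostname resolved to six different AWS-hosted edge addresses during a detonation of about 147 seconds. The block below is an added example, not part of the report or the sandbox vendor's code. SAMPLE_TABLE copies a subset of the rows above (enough to cover every distinct destination IP the report lists) in the report's own pipe-delimited layout, plus one constructed control row that uses an RFC 5737 documentation address. The helper names are assumptions.

```python
"""Network triage for the connection table above.

Added example, not the sandbox vendor's code. Rows marked as copied come from
the report's Network table; the last row is a constructed control.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# ngrok TCP tunnel endpoints are named N.tcp.ngrok.io or N.tcp.<region>.ngrok.io
# and expose an attacker-chosen port on ngrok's cloud edge.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(\.[a-z]{2,3})?\.ngrok\.io$", re.I)
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")

SAMPLE_TABLE = """\
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 18.158.58.205:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.127.181.115:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.64.4.198:15464 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.161.133:15464 | 5.tcp.eu.ngrok.io | tcp |
| -- | 203.0.113.10:443 | updates.example.net | tcp |
"""
# The first twelve rows are copied from the report; the last is a constructed control.


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


@dataclass
class Summary:
    dns_queries: int = 0
    tcp_connections: int = 0
    ips: set = field(default_factory=set)
    ports: set = field(default_factory=set)


def parse_table(text: str) -> list:
    """Parse the report's `| Country | Destination | Domain | Proto |` rows."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


def is_ngrok_tunnel(domain: str) -> bool:
    """True for ngrok TCP tunnel names and for any host under ngrok's public suffixes."""
    return bool(NGROK_TCP_RE.match(domain)) or domain.lower().endswith(NGROK_SUFFIXES)


def summarize(conns) -> dict:
    """Group per looked-up name: DNS queries (udp/53 rows) and TCP endpoints."""
    out = defaultdict(Summary)
    for c in conns:
        s = out[c.domain]
        if c.proto == "udp" and c.port == 53:
            s.dns_queries += 1           # resolver traffic credited to the queried name
        elif c.proto == "tcp":
            s.tcp_connections += 1
            s.ips.add(c.ip)
            s.ports.add(c.port)
    return dict(out)


def block_recommendations(summary: dict) -> list:
    """Return `domain:port` strings for tunnel endpoints.

    IP lists are deliberately not emitted: the edge addresses behind one ngrok
    hostname rotate (six distinct IPs for one name in the report), so an IP
    block is stale almost immediately while the hostname and port are stable.
    """
    recs = []
    for domain, s in sorted(summary.items()):
        if is_ngrok_tunnel(domain):
            recs.extend(f"{domain}:{port}" for port in sorted(s.ports))
    return recs


if __name__ == "__main__":
    summary = summarize(parse_table(SAMPLE_TABLE))
    for domain, s in summary.items():
        print(domain, s.dns_queries, "dns", s.tcp_connections, "tcp", sorted(s.ips), sorted(s.ports))
    print(block_recommendations(summary))
```

Two caveats when reading the table this way. The 8.8.8.8:53 rows show which name the sample resolved, not that it hard-codes Google DNS; the sandbox's configured resolver appears as the destination of every lookup. And a fresh lookup before each of the 28 TCP connections, with the port never changing, is consistent with a reconnect loop against a tunnel endpoint, but the page does not show whether any of those connections received data, so nothing here should be read as a confirmed check-in.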
Files
memory/2088-1-0x0000000074560000-0x0000000074B0B000-memory.dmp
memory/2088-2-0x0000000000A20000-0x0000000000A60000-memory.dmp
memory/2088-0-0x0000000074560000-0x0000000074B0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1D22.tmp
| MD5 | 51b770160f6c0ba58a36b76b46dd55a8 |
| SHA1 | b95f69729b634ae959f82586d87100c571d3d1e5 |
| SHA256 | 84466b7f8bcab52aeda5aac066bcea6281c0068062250d0a3486bd346bcd9170 |
| SHA512 | ba9f2216b4d797ae7cd3ef6d958e23df223d8ca89981600aa3de6b228e8694f672b673ea03e23c86a2797e389a869c0f8565926788d6e607a089612d325d6553 |
C:\Users\Admin\AppData\Local\Temp\tmp1D9F.tmp
| MD5 | 6b30dba7972c92c9a1b881e88c108b15 |
| SHA1 | f76207985cc5a1f70edb2fb5bd45678f195a4564 |
| SHA256 | 578f5b0ff051f02f8e0a67fc3424dad554fa9489875475ea624fbb63eabfcbf7 |
| SHA512 | e3dd368937f863cb07453de12173580fb63b8d3983db7119c24860f227c89ded76401c47607f5b1134d215d46fe2b40d4bc3d7299374f1e8abecdeaefc7b9099 |
memory/2088-10-0x0000000074560000-0x0000000074B0B000-memory.dmp
memory/2088-11-0x0000000074560000-0x0000000074B0B000-memory.dmp
memory/2088-12-0x0000000000A20000-0x0000000000A60000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-06 05:23
Reported
2024-01-06 05:25
Platform
win10v2004-20231222-en